Do you know why I get the following error message?
vols{}.Instrument is a valid field but it doesn't like the {}.
index=gasvol | head 1 | eval Contract=vols{}.Instrument + " " + vols{}.SequenceItem | rename vols{}.Broker as "Broker" vols{}.Volume as "Volume" | table Broker Contract Volume
Error in 'eval' command: The operator at '{}.Instrument' is invalid.
You go two options here
Rename so that special characters are removed by the field names
index=gasvol | head 1 | rename vols{}.* as * | eval Contract=Instrument + " " + SequenceItem | table Broker Contract Volume
Enclose the fields within single quotes for eval and where commands
index=gasvol | head 1 | eval Contract='vols{}.Instrument' + " " + 'vols{}.SequenceItem' | rename vols{}.Broker as "Broker" vols{}.Volume as "Volume" | table Broker Contract Volume
I worked it, you need to split the JSON array using spath then use mvexpand to extract the collection.
index=gasvol | head 1 | spath output=myfield path=vols{} | mvexpand myfield | spath input=myfield | eval Contract=Instrument. " " .SequenceItem | table Contract Broker Volume
Thanks both for your help.
This resolved the problem but when I try to join Instrument and SequenceItem the field is blank. It doesn't seem to structure the results like it does display in the table, if I do min then it gives me a value but not the correct value eval Contract2=min(Instrument)." ".min(SequenceItem).
index=gasvol | head 1 | rename vols{}.* as * | table Instrument SequenceItem Broker Volume Contract Contract2 | eval Contract=Instrument." ".SequenceItem
Thanks
Still doesn't work, I think it's related to the level that eval handles events. Any eval events doesn't seem to work on a row basis.
The source data is JSON and Splunk is extracing the collection.
[{"Volume": 10, "Instrument": "FTSE100", "Broker": "FTSE", "SequenceItem": "SPOT"}, {"Volume": 20, "Instrument": "FTSE250", "Broker": "LSE", "SequenceItem": "SPOT"}
Try rearranging things a little:
index=gasvol | head 1 | rename vols{}.* as * | eval Contract=Instrument." ".SequenceItem | eval Contract2=min(Instrument)." ".min(SequenceItem) | table Instrument SequenceItem Broker Volume Contract Contract2
You go two options here
Rename so that special characters are removed by the field names
index=gasvol | head 1 | rename vols{}.* as * | eval Contract=Instrument + " " + SequenceItem | table Broker Contract Volume
Enclose the fields within single quotes for eval and where commands
index=gasvol | head 1 | eval Contract='vols{}.Instrument' + " " + 'vols{}.SequenceItem' | rename vols{}.Broker as "Broker" vols{}.Volume as "Volume" | table Broker Contract Volume
I suggest you rename the data model, if you can. Using special characters other than '_' is asking for trouble.
If you can't rename the model itself, try using the rename
search command to change "vols{}" to "vols".
index=gasvol | head 1 | rename "vols{}" as vols | eval Contract=vols.Instrument + " " + vols.SequenceItem | rename vols.Broker as "Broker" vols.Volume as "Volume" | table Broker Contract Volume